Spring Boot API 请求忽略 OAuth2 令牌并且可以在没有它的情况下运行

Question

我的 Spring Boot 项目中有 3 个配置用于实现 oauth2 sso 安全性，详情如下：

AuthorizationServerConfig.java

@Configuration
@EnableAuthorizationServer
@Order(10)
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

static final String CLIENT_ID = "xxxx";
static final String CLIENT_SECRET = "xxxxx"; 
static final String GRANT_TYPE = "password";
static final String AUTHORIZATION_CODE = "authorization_code";
static final String REFRESH_TOKEN = "refresh_token";
static final String IMPLICIT = "implicit";
static final String SCOPE_READ = "read";
static final String SCOPE_WRITE = "write";
static final String TRUST = "trust";
static final int ACCESS_TOKEN_VALIDITY_SECONDS = 1*60*60;
static final int REFRESH_TOKEN_VALIDITY_SECONDS = 60*60*24;

@Autowired
private TokenStore tokenStore;

@Autowired
private AuthenticationManager authenticationManager;

@Override
public void configure(ClientDetailsServiceConfigurer configurer) throws Exception {

    configurer
            .inMemory()
            .withClient(CLIENT_ID)
            .secret(CLIENT_SECRET)
            .authorizedGrantTypes(GRANT_TYPE, AUTHORIZATION_CODE, REFRESH_TOKEN, IMPLICIT )
            .scopes(SCOPE_READ, SCOPE_WRITE, TRUST)
            .accessTokenValiditySeconds(ACCESS_TOKEN_VALIDITY_SECONDS).
            refreshTokenValiditySeconds(REFRESH_TOKEN_VALIDITY_SECONDS);
}

@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
    endpoints.tokenStore(tokenStore)
            .authenticationManager(authenticationManager);
     }
}

ResourceServerConfig.java

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

private static final String RESOURCE_ID = "resource_id";

@Override
public void configure(ResourceServerSecurityConfigurer resources) {
    resources.resourceId(RESOURCE_ID).stateless(false);
}

@Override
public void configure(HttpSecurity http) throws Exception {
    http.
            anonymous().disable()
            .authorizeRequests()
            .antMatchers("/api-docs/**").authenticated()
            .and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
     }
}

WebSecurityConfig.java

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(10)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements WebMvcConfigurer {

@Resource(name = "user-service")
private UserDetailsService userDetailsService;

@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
}

@Autowired
public void globalUserDetails(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(userDetailsService)
            .passwordEncoder(encoder());
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .csrf().disable()
            .anonymous().disable()
            .authorizeRequests()
            .antMatchers("/api-docs/**").permitAll();
}

@Bean
public TokenStore tokenStore() {
    return new InMemoryTokenStore();
}

@Bean
public BCryptPasswordEncoder encoder(){
    return new BCryptPasswordEncoder();
}

@Bean
public FilterRegistrationBean corsFilter() {
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    CorsConfiguration config = new CorsConfiguration();
    config.setAllowCredentials(true);
    config.addAllowedOrigin("*");
    config.addAllowedHeader("*");
    config.addAllowedMethod("*");
    source.registerCorsConfiguration("/**", config);
    FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
    bean.setOrder(0);
    return bean;
}

public void addCorsMappings(CorsRegistry registry) {
    registry.addMapping("/**");
    }
}

UserController.java

@RestController
@RequestMapping("/user")
@EnableResourceServer
public class UserController {

@Autowired
private UserService userService;

@PostMapping("")
@ResponseStatus(HttpStatus.OK)
@ApiOperation("Get All User")
public Map<String, Object> getAll(@RequestParam (value = "pageNumber", defaultValue = "1") Integer 
pageNumber,
        @RequestParam (value = "pageSize", defaultValue = "20") Integer pageSize,
        @RequestParam (value = "sortBy", defaultValue = "userId") String sortBy,
        @RequestParam (value = "sortDirection", defaultValue = "DESC") String sortDirection) throws 
 Exception{
    Map<String, Object> resultList = userService.findAll(pageNumber - 1, pageSize, sortBy.trim(), 
  sortDirection);
    
    if (resultList.get("dataCount").equals(0)) {
        throw new ResponseStatusException(HttpStatus.NOT_FOUND, "Data Tidak Ada");
    }
    
    return resultList;
}

@PostMapping(path="/create")
@ResponseBody
@ResponseStatus(HttpStatus.OK)
@ApiOperation("Create User")
public Map<String, Object> create(HttpServletRequest request, @RequestBody CreateUser dto) throws Exception{
    
    return userService.create(dto);
}


@PostMapping(path="/detail/{id}")
@ResponseBody
@ResponseStatus(HttpStatus.OK)
@ApiOperation("Find User by Id")
public Map<String, Object> detail(HttpServletRequest request, @PathVariable("id") String id) throws Exception{
    
    Map<String, Object> resultList = userService.findById(id);
    
    if (resultList.get("result") == null) {
        throw new ResponseStatusException(HttpStatus.NOT_FOUND, "Data Tidak Ditemukan");
    }
    
    return resultList;
}

@PostMapping(path = "/update/{id}")
@ResponseBody
@ResponseStatus(HttpStatus.OK)
@ApiOperation("Edit User")
public Map<String, Object> update(HttpServletRequest request, 
        @PathVariable("id") String id, 
        @RequestBody UpdateUser dto) throws Exception {

    Map<String, Object> resultList = userService.findById(id);
    if (resultList.get("result") == null) {
        throw new ResponseStatusException(HttpStatus.NOT_FOUND, "Data Tidak Ditemukan");
    }else {
        return userService.update(id, dto);
    }       
}

@PostMapping(path = "/delete/{id}")
@ResponseBody
@ResponseStatus(HttpStatus.OK)
@ApiOperation("Delete User")
public Object delete(HttpServletRequest request, @PathVariable("id") String id) throws Exception{
    
    Map<String, Object> resultList = userService.findById(id);
    
    if (resultList.get("result") == null) {
        throw new ResponseStatusException(HttpStatus.NOT_FOUND, "Data Tidak Ditemukan");
    }else {
        return userService.delete(id);
    }
}

@PostMapping(path = "/delete-user-role/{userId}/{roleId}")
@ResponseBody
@ResponseStatus(HttpStatus.OK)
@ApiOperation("Delete Role From User")
@Transactional
public Object deleteRoleFromUser(HttpServletRequest request, @PathVariable("userId") String userId, 
@PathVariable("roleId") String roleId) 
        throws Exception{
    
    return userService.deleteRoleFromUser(userId, roleId);

}

@PostMapping(path = "/add-user-role/{userId}/{roleId}")
@ResponseBody
@ResponseStatus(HttpStatus.OK)
@ApiOperation("Add Role To User")
public Object addRoleToUser(HttpServletRequest request, @PathVariable("userId") String userId, 
@PathVariable("roleId") String roleId) 
        throws Exception{
    
    return userService.addRoleToUser(userId, roleId);

    }
 }

然后，当我尝试使用此参数从邮递员那里获取 access_token 时，它起作用了

但是，当我尝试在授权参数或 url 的最后一张图片上不包含生成的 access_token 的情况下点击/使用 api 请求时，它可以运行并以某种方式忽略强制访问令牌的安全性。

如何解决这个问题？

Answer 1

看起来你的 WebSecurityConfig 配置不正确（它仍然允许所有请求通过），你可以像下面的代码一样更新配置方法 -

WebSecuirtyConfig.java

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .csrf().disable()
            .anonymous().disable()
            .authorizeRequests()
            .antMatchers("/api-docs/**").permitAll()
            .anyRequest().authenticated();
}

希望这会有所帮助！